Over 10,000 people that booked holidays abroad via online reservations aggregator Booking.com were the prime targets of a phishing scam, aiming to make them transfer hotel room payments to a bogus third party account, technology website The Register reports.

Targeted users reportedly received e-mails, claiming that for some reason the payment for the holiday they had booked failed and they were asked to make it again. The e-mail then pointed users to a Polish bank account, where they should transfer their holiday payment.

The message was further legitimised, because it includes the real name of the hotel the particular user actually booked rooms in, as well as the right dates they are booked for. The latter causes online security experts, quoted by the publication, to suspect that Booking.com has been targeted by a group of hackers who were able to extract real user information from the site.

In a statement addressing the issue, Booking.com acknowledged there has been a phishing attack on the site and said that it has a “dedicated team” currently working to resolve it. The site also said it is in contact with 10,000 users in relation with the attacks. The statement also points to the UK, UAE, Portugal, Italy, USA and France as the countries where Booking.com’s accommodation partners are being targeted.

After the story about the attack was published by the Register, the hackers appear to have changed their tactics and devised a different variation of the same scam. The new scam involves travellers receiving messages, urging them to pay for their booked rooms in advance, due to an alleged large number of last-moment cancellations.